[libvirt-users] simple network and firewalld errors

Daniel P. Berrange berrange at redhat.com
Mon Mar 2 09:26:17 UTC 2015


On Sun, Mar 01, 2015 at 06:26:45PM +0000, lejeczek wrote:
> Hi everybody,
> I have a simple network:
> 
> <network>
>   <name>default</name>
>   <uuid>1e71fa47-4893-4435-8b60-575d2b51c231</uuid>
>   <forward mode='nat'>
>     <nat>
>       <port start='1024' end='65535'/>
>     </nat>
>   </forward>
>   <bridge name='virbr0' stp='on' delay='0' />
>   <mac address='52:54:00:58:47:4b'/>
>   <ip address='192.168.4.1' netmask='255.255.255.0'>
>     <dhcp>
>       <range start='192.168.4.2' end='192.168.4.254' />
>     </dhcp>
>   </ip>
> </network>
> 
> and I wonder what might be wrong; I get many errors in firewalld when I
> restart libvirtd.
> 
>  Main PID: 13194 (firewalld)
>    CGroup: /system.slice/firewalld.service
>            └─13194 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
> 
> 2015-03-01 17:12:46 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: No
> chain/target/match by that name.
> 2015-03-01 17:12:46 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete FORWARD --in-interface virbr0 --jump REJECT' failed: iptables: No
> chain/target/match by that name.
> 2015-03-01 17:12:47 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53
> --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in
> that chain?).
> 2015-03-01 17:12:47 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53
> --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in
> that chain?).
> 2015-03-01 17:12:47 ERROR: COMMAND_FAILED: '/sbin/iptables --table mangle
> --delete POSTROUTING --out-interface virbr0 --protocol udp
> --destination-port 68 --jump CHECKSUM --checksum-fill' failed: iptables: No
> chain/target/match by that name.
> 2015-03-01 17:12:48 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67
> --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in
> that chain?).
> 2015-03-01 17:12:48 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter
> --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67
> --jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in
> that chain?).
> 2015-03-01 17:36:03 ERROR: NOT_ENABLED
> 2015-03-01 17:36:04 ERROR: NOT_ENABLED
> 2015-03-01 18:19:35 ERROR: NOT_ENABLED

Ignore these, these are not errors. Firewalld's design makes it impossible
for it to distinguish real errors from failures that the caller expects
to happen. Libvirt is running these commands to ensure the rules in
question do not exist, and it expects them to give errors most of the
time. There is no way for libvirt to stop these errors getting into
firewalld's logs.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
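
A log-triage sketch for the pattern discussed in this thread, added here as an example and not code from libvirt, firewalld or either poster: it separates failed `--delete` commands on a libvirt bridge, where iptables reports the rule was already absent, from any other failed command. Assumptions: one log entry per line, bridge names starting with `virbr`, and the hypothetical names `classify` and `triage`; the sample lines are constructed from the entries quoted above, plus one invented `--insert` failure.

```python
import re
from collections import Counter

# Assumption: one firewalld log entry per line, in the format quoted in the thread.
ENTRY = re.compile(r"^\S+ \S+ ERROR: COMMAND_FAILED: '(?P<cmd>[^']*)' failed: (?P<reason>.*)$")
# iptables replies meaning the rule, chain or target to delete was not present.
ABSENT = ("No chain/target/match by that name", "Bad rule (does a matching rule exist")
IFACE_FLAGS = ("--in-interface", "--out-interface", "-i", "-o")

def classify(line, bridge_prefix="virbr"):
    """Return 'expected-delete', 'review' or 'other' for one log line."""
    m = ENTRY.match(line.strip())
    if not m:
        return "other"  # not a COMMAND_FAILED entry, e.g. NOT_ENABLED
    args = m.group("cmd").split()
    is_delete = "--delete" in args or "-D" in args
    ifaces = [args[i + 1] for i, a in enumerate(args[:-1]) if a in IFACE_FLAGS]
    on_bridge = bool(ifaces) and all(n.startswith(bridge_prefix) for n in ifaces)
    absent = any(text in m.group("reason") for text in ABSENT)
    if is_delete and on_bridge and absent:
        return "expected-delete"  # a delete of something already absent
    return "review"  # any other failed command deserves a look

def triage(lines):
    """Count log lines per classification."""
    return Counter(classify(line) for line in lines)

# Constructed sample: the first two mirror entries quoted above (unwrapped),
# the third is an invented --insert failure, the fourth is a NOT_ENABLED line.
SAMPLE = [
    "2015-03-01 17:12:46 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter "
    "--delete FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: "
    "No chain/target/match by that name.",
    "2015-03-01 17:12:47 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter "
    "--delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 "
    "--jump ACCEPT' failed: iptables: Bad rule (does a matching rule exist in "
    "that chain?).",
    "2015-03-01 17:12:49 ERROR: COMMAND_FAILED: '/sbin/iptables --table filter "
    "--insert FORWARD --out-interface virbr0 --jump REJECT' failed: iptables: "
    "No chain/target/match by that name.",
    "2015-03-01 17:36:03 ERROR: NOT_ENABLED",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{classify(line):16} {line[:70]}")
    print(dict(triage(SAMPLE)))
```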



